layer7 doesn't seem to work well with gentoo-sources-2.6.17-r4. This is with iptables-1.3.5-r1: # iptables -A FORWARD -m layer7 --l7proto bittorrent -o br0 -j DROP iptables: Unknown error 4294967295 and with iptables-1.3.5-r3: # iptables -A FORWARD -m layer7 --l7proto bittorrent -o br0 -j DROP iptables: Invalid argument During kernel compilation I get this: ... CC net/ipv4/netfilter/ipt_layer7.o net/ipv4/netfilter/ipt_layer7.c:460: warning: initialization from incompatible pointer type net/ipv4/netfilter/ipt_layer7.c:461: warning: initialization from incompatible pointer type ... When I remerge iptables, I get messages of this kind: "* For layer 7 support emerge net-misc/l7-filter-2.1 before this" I would like to emerge 2.1, but that doesn't exist in portage! I'd like to use a stable version, but 1.4 doesn't even work with gentoo-sources-2.6.16-r*. That's why I switched to l7-filter-2.2, which now also doesn't work with the latest gentoo-sources. Unfortunately, there now is no version at all in portage that works with the latest gentoo-sources. Hopefully, there will be a stable one soon. Please let me know if you need anymore infos or how I can help! oh, btw: # grep _IP_NF_ /usr/src/linux/.config CONFIG_IP_NF_CONNTRACK=y CONFIG_IP_NF_CT_ACCT=y CONFIG_IP_NF_CONNTRACK_MARK=y CONFIG_IP_NF_CONNTRACK_EVENTS=y CONFIG_IP_NF_CONNTRACK_NETLINK=y CONFIG_IP_NF_CT_PROTO_SCTP=y CONFIG_IP_NF_FTP=y CONFIG_IP_NF_IRC=y CONFIG_IP_NF_NETBIOS_NS=y CONFIG_IP_NF_TFTP=y CONFIG_IP_NF_AMANDA=y CONFIG_IP_NF_PPTP=y CONFIG_IP_NF_H323=y # CONFIG_IP_NF_QUEUE is not set CONFIG_IP_NF_MATCH_LAYER7=y # CONFIG_IP_NF_MATCH_LAYER7_DEBUG is not set CONFIG_IP_NF_IPTABLES=y CONFIG_IP_NF_MATCH_IPRANGE=y CONFIG_IP_NF_MATCH_TOS=y CONFIG_IP_NF_MATCH_RECENT=y CONFIG_IP_NF_MATCH_ECN=y CONFIG_IP_NF_MATCH_DSCP=y CONFIG_IP_NF_MATCH_AH=y CONFIG_IP_NF_MATCH_TTL=y CONFIG_IP_NF_MATCH_OWNER=y CONFIG_IP_NF_MATCH_ADDRTYPE=y CONFIG_IP_NF_MATCH_HASHLIMIT=y CONFIG_IP_NF_FILTER=y CONFIG_IP_NF_TARGET_REJECT=y CONFIG_IP_NF_TARGET_LOG=y # CONFIG_IP_NF_TARGET_ULOG is not set CONFIG_IP_NF_TARGET_TCPMSS=y CONFIG_IP_NF_NAT=y CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_TARGET_MASQUERADE=y CONFIG_IP_NF_TARGET_REDIRECT=y CONFIG_IP_NF_TARGET_NETMAP=y CONFIG_IP_NF_TARGET_SAME=y CONFIG_IP_NF_NAT_SNMP_BASIC=y CONFIG_IP_NF_NAT_IRC=y CONFIG_IP_NF_NAT_FTP=y CONFIG_IP_NF_NAT_TFTP=y CONFIG_IP_NF_NAT_AMANDA=y CONFIG_IP_NF_NAT_PPTP=y CONFIG_IP_NF_NAT_H323=y CONFIG_IP_NF_MANGLE=y CONFIG_IP_NF_TARGET_TOS=y CONFIG_IP_NF_TARGET_ECN=y CONFIG_IP_NF_TARGET_DSCP=y CONFIG_IP_NF_TARGET_TTL=y CONFIG_IP_NF_TARGET_CLUSTERIP=y CONFIG_IP_NF_RAW=y CONFIG_IP_NF_ARPTABLES=y CONFIG_IP_NF_ARPFILTER=y CONFIG_IP_NF_ARP_MANGLE=y
Manually patching the kernel with the sources netfilter-layer7-v2.3.tar.gz from http://l7-filter.sourceforge.net/ works fine. Unpack the source and apply both patches with: cd /usr/src/linux patch -p1 < iptables-layer7-2.3.patch patch -p1 < kernel-2.6.17-layer7-2.3.patch make sure, you have compiled iptables with useflag "extensions", to do so: echo "net-firewall/iptables extensions" >> /etc/portage/package.use and remerge iptables. Finally, make sure to enable Layer7 in the config.
i'd even go the latest version of iptables which uses the l7filter use flag. I'll look at getting some later versions stabilised soon and old versions purged. The 'iptables: Unknown error 4294967295' and 'iptables: Invalid argument' are due to the iptables not being compiled after l7-filter support is added to the kernel.
If the error messages only come from iptables not being reinstalled after having l7 support in the kernel, the following should work: 1. emerge -C l7-filter l7-protocols 2. emerge -C gentoo-sources-2.6.17-r4 3. rm -rf /usr/src/linux /usr/src/linux-2.6.17-gentoo-r4 4. emerge gentoo-sources-2.6.17-r4 5. ln -s /usr/src/linux-2.6.17-gentoo-r4 /usr/src/linux 6. emerge l7-filter-2.2 l7-protocols-2006.06.03 7. CONFIG_IP_NF_MATCH_LAYER7=y 8. make && make modules_install 9. USE="l7filter" emerge iptables-1.3.5-r3 10. reboot (the kernel above of course ;-)) Well, it did not work! I did try patching with l7 v2.3 patches manually, but without success. Ok, I admit I didn't try very hard. But as the l7-filter ebuild seems to be necessary, manually patching with another patch seems to mess everything up (eg. ebuild fails). @Daniel: I guess this bug can be interpreted as a version bump request to l7-v2.3, although I don't know if 2.3 does the job. I will do some testing...
I can also confirm 'iptables: Unknown error 429496729" Firestarter stop working after install 2.6.17-r4 kernel.
update: I also trayed advises from comment 2 and 3 but CONFIG_IP_NF_MATCH_LAYER7 is not present after pathes in .config i dont know what to do so im falling back to 2.6.16-r13 kernel Sry for english
Ok i'am found it you nust check "Connection tracking (required for masq/NAT) (IP_NF_CONNTRACK)" and CONFIG_IP_NF_MATCH_LAYER7=y will by visible :P
(In reply to comment #2) > i'd even go the latest version of iptables which uses the l7filter use flag. This is not neccessary, the latest stable iptables work fine, the only thing: iptables needs to be installed with extensions support. A reemerge of iptables after patching the kernel with the two patches included in the source is not neccessary.
(In reply to comment #3) > If the error messages only come from iptables not being reinstalled after > having l7 support in the kernel, the following should work: > ... > Well, it did not work! It can't work, since the kernel 2.6.17 needs a different patch. The l7-filter patch of version 2.2 will only work for kernel 2.6.16.x and not for kernel 2.6.17.x > > I did try patching with l7 v2.3 patches manually, but without success. Ok, I > admit I didn't try very hard. But as the l7-filter ebuild seems to be > necessary, manually patching with another patch seems to mess everything up > (eg. ebuild fails). Nothing would be messed up, since you only patch the kernel sources and nothing else is touched. > @Daniel: I guess this bug can be interpreted as a version bump request to > l7-v2.3, although I don't know if 2.3 does the job. I will do some testing... Yes, it is a version bumb.
(In reply to comment #8) > > I did try patching with l7 v2.3 patches manually, but without success. Ok, I > > admit I didn't try very hard. But as the l7-filter ebuild seems to be > > necessary, manually patching with another patch seems to mess everything up > > (eg. ebuild fails). > > Nothing would be messed up, since you only patch the kernel sources and nothing > else is touched. You're right, it works applying the patches manually, thanks! With 'messed up' I meant that the l7-filter ebuild doesn't work anymore as soon as the new patches have been applied. This is understandable of course, as the 2.3 patch can't be reversed with 2.2. I had troubles with the ebuild and the kernel source. After some combination of emerging, unmerging of l7-filter-2.2 and applying patches 2.3, I messed up the kernel source and couldn't even do 'make menuconfig' anymore.
kernel 2.6.17-r4 successfully patched by hand with l7-filter 2.3 Both patches applied without errors. System is running stable since 2006-07-25 for almost 3 days. layer7-match works and iptables filters as expected. Dependency needs to be set for l7-filter-2.2 since it does not work with 2.6.16.x kernel sources.
(In reply to comment #10) > kernel 2.6.17-r4 successfully patched by hand with l7-filter 2.3 > > Both patches applied without errors. > > System is running stable since 2006-07-25 for almost 3 days. > > layer7-match works and iptables filters as expected. > corrected: Dependency needs to be set for l7-filter-2.2 since it DOES NOT WORK WITH 2.6.17.x kernel sources.
Thanks cilly, Piotrek and R!tman Sorry i was wrong in comment #2. I've added l7-filter-2.3 iptables-1.3.4-r4 also contains the latest patch there too. I couldn't do dependencies because the kernel sources could be anything. I did however put a explicit die into 2.2 and 1.4 if you used a too modern kernel. Because of the kernel priviledge escalation bugs (that are fixed in 2.6.17) can you please reminded me to push for 2.3 to go stable in 30days. Hope I haven't needed to reply to any other comments here. just ask if I have.
(In reply to comment #12) > I've added l7-filter-2.3 > iptables-1.3.4-r4 also contains the latest patch there too. Do you really mean iptables-1.3.4-r4? To point out again: iptables itself does not need any patch, iptables needs only to be compiled with extensions. The two patches, which are included in the l7-filter source patch only kernel sources. The patch iptables-layer7-2.3.patch patches the netfilter extensions in the kernel source so iptables can use the layer7 match extensions. The patch kernel-2.6.17-layer7-2.3.patch patches the kernel source to be able to compile the kernel with Layer7 support. > Because of the kernel priviledge escalation bugs (that are fixed in 2.6.17) > can you please reminded me to push for 2.3 to go stable in 30days. of course :-)
(In reply to comment #12) > Thanks cilly, Piotrek and R!tman Thank YOU! > I've added l7-filter-2.3 > iptables-1.3.4-r4 also contains the latest patch there too. Using both, works without any troubles :-)! > Because of the kernel priviledge escalation bugs (that are fixed in 2.6.17) can > you please reminded me to push for 2.3 to go stable in 30days. I'll do that! I guess you'll also want the corresponding iptables version stablized. (In reply to comment #13) > Do you really mean iptables-1.3.4-r4? > > To point out again: > > iptables itself does not need any patch, iptables needs only to be compiled > with extensions. The two patches, which are included in the l7-filter source > patch only kernel sources. The patch iptables-layer7-2.3.patch patches the > netfilter extensions in the kernel source so iptables can use the layer7 match > extensions. The patch kernel-2.6.17-layer7-2.3.patch patches the kernel source > to be able to compile the kernel with Layer7 support. You're probably right about that, iptables-1.3.5-r4 is not really needed. But I guess it's a reasonable approach to include the iptables-layer7-2.3.patch in iptables, not l7-filters. Therefore, if you follow that approach, you do need this version. Otherwise the patch is not applied.
(In reply to comment #14) > You're probably right about that, iptables-1.3.5-r4 is not really needed. But I > guess it's a reasonable approach to include the iptables-layer7-2.3.patch in > iptables, not l7-filters. Therefore, if you follow that approach, you do need > this version. Otherwise the patch is not applied. iptables-layer7-2.3.patch does not patch iptables at all! In my opinion, the iptables-layer7-2.3.patch has a name which gives wrong conclusions. It should be named: netfilter-layer7-2.3.patch or iptables-extension-layer7-2.3.patch. I do not see an advantage to include this patch into iptables itself, since iptables can use the netfilter extensions in the kernel sources. Keep in mind: iptables does not need to be recompiled, if the layer7-patch changes, compiling the new kernel and iptables needs only to be restarted and it loads the newly built extension. In my opinion it is a disadvantage to include the layer7-patch into iptables, since upon a layer7-change, you need to compile the kernel AND iptables. Therefor, I advise to stay with the "extensions"-useflag in iptables.
(In reply to comment #12) > Because of the kernel priviledge escalation bugs (that are fixed in 2.6.17) can > you please reminded me to push for 2.3 to go stable in 30days. This is the reminder.
he current stable version of l7-filter (1.4) will not compile with a2.6.12(?) kernels and above. l7-filter-2.3 compiles will 2.6.17 and hopefully later versions. Please bump this to stable and purge earlier versions. Test Plan: (thanks R!tman) 1. emerge ~l7-filter-2.3 ~l7-protocols-2006.06.03 2. CONFIG_IP_NF_MATCH_LAYER7=m/y IP_NF_IPTABLES=m/y IP_NF_CT_ACCT=m/y IP_NF_CONNTRACK=m/y EXPERIMENTAL=y 3. make && make modules_install 4. USE="l7filter" emerge ~iptables-1.3.5-r4 5. modprobe lreboot (the kernel above of course ;-)) 6. iptables -A FORWARD -m layer7 --l7proto bittorrent -o {interface} -j DROP 7. watch bittorrent fail. if this all works well can l7-filter-2.3 l7-protocols-2006.06.03 iptables-1.3.5-r4 please be marked stable.
err hit enter too soon. step 5: modprobe ipt_layer7 diff -u iptables-1.3.5-r1.ebuild iptables-1.3.5-r4.ebuild shows the only difference is the l7-version used and small changes to the mechanics of USE flags.
This works for me, but in step 7 I watched limewire fail ;-). And I didn't do modprobe, as I didn't compile as module. Nevertheless, I only tested with gentoo-sources-2.6.17-r4, yet. As soon as other sources become stable I will test with those too.
I use the latest stable iptables with useflag "extensions" and the l7-filter-2.3 with the latest stable kernel 2.6.17-gentoo-r4. Everything works fine. layer7 filtering does it's job perfectly.
Just tried gentoo-sources-2.6.17-r7 which has gone stable. Same thing, works like a charm, using the exact steps mentioned by dragonheart. I again only tried limewire, which was successfully blocked. Seems stable to me :-). Dragonheart, thanks for administrating this!
(In reply to comment #21) > Just tried gentoo-sources-2.6.17-r7 which has gone stable. Same thing, works > like a charm, using the exact steps mentioned by dragonheart. > I again only tried limewire, which was successfully blocked. > > Seems stable to me :-). > > Dragonheart, thanks for administrating this! Oops! Sorry, Daniel Black, thanks to YOU! Sorry, mixed that up, I somehow thought your nickname was dragonheart...
please, mark stable!
In x86: Compiles and works fine, i tested it with bittorrent. distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=athlon-tbird -mtune=athlon-tbird -O2 -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=athlon-tbird -mtune=athlon-tbird -O2 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict" GENTOO_MIRRORS="ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ " LINGUAS="" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/sunrise" SYNC="rsync://rsync.belnet.be/packages/gentoo-portage" USE="x86 X bitmap-fonts bzip2 cairo cdr cli crypt dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode fam firefox fortran gif gpm gstreamer gtk hal input_devices_evdev input_devices_keyboard input_devices_mouse isdnlog jpeg kernel_linux ldap libg++ mad mikmod mp3 mpeg ncurses nptl nptlonly ogg opengl pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_vesa vorbis win32codecs xml xorg xv zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Stabled on ppc: - l7-filter-2.3 - l7-protocols-2006.06.03 - iptables-1.3.5-r4
(In reply to comment #25) > Stabled on ppc: > - l7-filter-2.3 > - l7-protocols-2006.06.03 > - iptables-1.3.5-r4 What about amd64 and x86? Are there still issues?
(In reply to comment #26) > > What about amd64 and x86? Are there still issues? > the amd64 stabilization it's up to the maintainer, since they(amd64) don't have any version stabilized. For x86...hm...you'll have to wait :)
Hi Daniel, Since the Bug was reported 2006-07-25 I was using l7-filter 2.3 in a production x86 system under all 2.6.17.x kernels. It is time to mark it stable. cilly
Stabled on ppc: - l7-filter-2.3 - l7-protocols-2006.06.03 - iptables-1.3.5-r4" sed -i 's/ppc/x86/' I'm marking this as FIXED since amd64 never had a stable version. If they want to stabilize this, they can REOPEN.